3305d0c6b2a0434823acd2c46974f1f1919272ec89d4e20ef09e650d4ba92272

General

Target

314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe
Size

144KB
MD5

314fa4bbc486176e6b822143c681aa28
SHA1

a00c52c5be0250de933e1b3308766588e2b7d548
SHA256

3305d0c6b2a0434823acd2c46974f1f1919272ec89d4e20ef09e650d4ba92272
SHA512

3527dbc1aeb00effc7cc9e9fff43708cb03a10171a5bf57f916f3e2fda646eafc516affb168a3cc24ce2c9bdae23e5fcb1e5c9a6f0dc03d5114dd8f07ed452dd
SSDEEP

1536:9xXWjgnouy8p7XTTFz0xG4fEZ7zkh+FkLnXxffMv3B8AD9ww5kWi1c:9xXWcouthThIsLz2+yrp0v3B8SvkU

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2164	b2e.exe

Loads dropped DLL 2 IoCs

pid	Process
2064	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe
2064	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2064-1-0x0000000000400000-0x00000000004C8000-memory.dmp	upx
behavioral1/memory/2064-10-0x0000000000400000-0x00000000004C8000-memory.dmp	upx

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2948	shutdown.exe
Token: SeRemoteShutdownPrivilege	2948	shutdown.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2164	2064	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2164	2064	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2164	2064	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2164	2064	314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe	30
PID 2164 wrote to memory of 2940	2164	b2e.exe	31
PID 2164 wrote to memory of 2940	2164	b2e.exe	31
PID 2164 wrote to memory of 2940	2164	b2e.exe	31
PID 2164 wrote to memory of 2940	2164	b2e.exe	31
PID 2940 wrote to memory of 2948	2940	cmd.exe	33
PID 2940 wrote to memory of 2948	2940	cmd.exe	33
PID 2940 wrote to memory of 2948	2940	cmd.exe	33
PID 2940 wrote to memory of 2948	2940	cmd.exe	33
PID 2940 wrote to memory of 2380	2940	cmd.exe	35
PID 2940 wrote to memory of 2380	2940	cmd.exe	35
PID 2940 wrote to memory of 2380	2940	cmd.exe	35
PID 2940 wrote to memory of 2380	2940	cmd.exe	35
PID 2164 wrote to memory of 2848	2164	b2e.exe	36
PID 2164 wrote to memory of 2848	2164	b2e.exe	36
PID 2164 wrote to memory of 2848	2164	b2e.exe	36
PID 2164 wrote to memory of 2848	2164	b2e.exe	36

C:\Users\Admin\AppData\Local\Temp\314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\C4C5.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C4C5.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C4C5.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\314fa4bbc486176e6b822143c681aa28_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\C62C.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\shutdown.exe
      shutdown.exe -r -t 172800
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2948
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Tempmes.js"
      4⤵
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

1

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C62C.tmp\batchfile.bat

Filesize
492KB

MD5
671990fa199a285bd5d955f0991bf623

SHA1
d98e1a2fcf89e577f7f3b53ef411413aae96d343

SHA256
a2ac20aa614f642a7cf82ae85e54ad67c5aed9acbe5905805a5f473720a55f70

SHA512
2951655f3ef48d31d16da819260424acfc8feb4dd8145bbd206ebbda7f866149c1c400f65d54ff9a4838b22678ec02e7737c11a2aa36594270773817bdf52c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
54b01b364422a2497e0c4a16b071e8ee

SHA1
9dfb17a3c17e1b778505640afb5fa2455050a1bb

SHA256
78e47f5bf6716e336bebff1325b2088083633f3cfaf8d300542cbe380fd5e92c

SHA512
e1a4a5d256f396a13b760b82571cb9c93e804180b92f7c0d5dd972fe627a57ebe96ff3ef6b68abffa6d4416613f846e7e527ac77a5fe41e809e15a4e061464b4

Download Submit
C:\Users\Admin\AppData\Local\Tempmes.js

Filesize
587B

MD5
40f08f0b20e53ce9b9788aa3e531fbae

SHA1
55980bd8521128682766bdf25e0936cb574f867f

SHA256
0b5d8eb463cb9353a0c7ccdfa7a73f814d31e4635bf3519db7f569bb87870f84

SHA512
171dcf0cac0e0a2caf9e878d2d54bcd6070163721a704ed041211473129874a89f89aaab8134e9c68e8cf0d40397d833ab61d0ce4e0533bd6b816fcdbe689f09

Download Submit
\Users\Admin\AppData\Local\Temp\C4C5.tmp\b2e.exe

Filesize
500KB

MD5
59c2e19384bae6663cd6f27087d74f8c

SHA1
eec5c6bb13857f19d6dfc04e1df118a522415742

SHA256
87b18e8349c8f4c1d8bd7dd66438d927540b1350752bb72abfed0e0feee52daf

SHA512
38717ae4c8c33d67872b8fb813865cadcd2d169e61691d4cffff86dd08372e9609b68cb806cafd388671847b3ffd87d296a5318b103154ae86f686aa75fd98e9

Download Submit
memory/2064-1-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2064-10-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2164-12-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2164-79-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing